Splunk Search

How to display the results of my transaction search in a table?

Imjusttesting
Explorer

Hi Everyone,

I'm having an issue displaying transaction data in Table.
The end result should look like this:

No | Driver ID | Start Date | Start Time | End Date | End Time |
1  |ACBCD      |2/5/2016    |09:00       |2/5/2016  |18:00     |

There are 2 criteria:
1) Total driving time exceed 8 hrs within 24 hrs by Start Time
2) End time is determine by Gap of more than 30 minutes

My searchstring looks like this, but is not able to display as a table

sourcetype="xxxxxx" | transaction maxspan=8h maxpause=30m
| sort _time | streamstats count as TripNo by username
| table _time

Appreciate and feedback.

0 Karma
1 Solution

renjith_nair
Legend

Try this for table format

sourcetype="xxxxxx" | transaction maxspan=8h maxpause=30m| sort _time 
|streamstats count as TripNo by username|eval end=_time+duration
|eval "Start Date"=strftime(_time,"%d-%b-%Y")|eval "End Date"=strftime(end,"%d-%b-%Y")
|eval "Start Time"=strftime(_time,"%H:%M:%S")|eval "End Time"=strftime(end,"%H:%M:%S")
|table TripNo username "Start Date" "Start Time" "End Date" "End Time"
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

renjith_nair
Legend

Try this for table format

sourcetype="xxxxxx" | transaction maxspan=8h maxpause=30m| sort _time 
|streamstats count as TripNo by username|eval end=_time+duration
|eval "Start Date"=strftime(_time,"%d-%b-%Y")|eval "End Date"=strftime(end,"%d-%b-%Y")
|eval "Start Time"=strftime(_time,"%H:%M:%S")|eval "End Time"=strftime(end,"%H:%M:%S")
|table TripNo username "Start Date" "Start Time" "End Date" "End Time"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

Imjusttesting
Explorer

Thanks @renjith.nair

This work perfectly fine.
Now the next issues, are the criteria;
1) Total driving time exceed 8 hrs within 24 hrs by Start Time
2) End time is determine by Gap of more than 30 minutes

When i look at the Table, some of the data are not group within the 8 hours span and the Stop don't have a 30 mins gap

What the best way to deal with this?

0 Karma

renjith_nair
Legend

Sorry didn't quite get that .
By 1 , do you mean
You want to find transaction which span across 24 hours and then divide them in 8 hrs span? or you want only thos transactions which are more than 8 hours only?

By 2 , Gap between what? between two transactions?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

Imjusttesting
Explorer

Sorry, missed your message

1) I would like to include transaction which are more than 8 hours
2) The 30 mins gap is between the transaction. Meaning if there a 30 mins gap between the transaction, the next event will be a new event

0 Karma

renjith_nair
Legend

If you would like to include only transaction which are more than 8hrs, then i think maxpause won't work here since maxpause limits the transaction to 8 hours

     Syntax: maxpause=<int>[s | m | h | d]
    Description: Specifies the maximum time in seconds, minutes, hours, or days that the events can span. The maxpause constraint requires there be no pause between a transaction's events of greater than maxpause. If value is negative, disable the maxpause constraint. 
    Default: -1 (no limit)

You should use maxpause only if the driver is supposed to drive only "x" hours which is not your case i believe.

If you have any other uniquely identified fields in these events to co-relate two events rather than time based, that would make things easier

Once you correct the initial search , then you can add |where duration > 28800 to get the transactions more than 8 hours

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

Imjusttesting
Explorer

Thanks 🙂
Working good.

0 Karma

Richfez
SplunkTrust
SplunkTrust

Without fixing anything else that may (or may not) be wrong with the search, your table doesn't include all the other items. Try something like...

sourcetype="xxxxxx" | transaction maxspan=8h maxpause=30m
| sort _time | streamstats count as TripNo by username
| table TripNo, username, start_date, start_time, end_date, end_time

You will obviously have to use your own fieldnames - you didn't provide a sample event to work with so I could only pseudo-code them up.

0 Karma

Richfez
SplunkTrust
SplunkTrust

I'm also not sure this search will do quite what you want. I think your criteria 2 should be fine with your maxpause.

Criteria 1 - what actually do you mean? If you mean they CAN'T drive longer than 8 hours in a day, that's different from they SHOULDN'T drive more than 8 hours a day, which is completely different from "Find transactions where they DID drive longer than 8 hours in a 24 hour period." In several of those cases you may end up wanting maxspan=24h. You may have overlapping transactions within periods, though, which may force you to take a different tack. It would probably be worth a different question to answer that (to keep this one clean and easy to search), but there are answers for trickier things like that, see this as an example (the comments).

Those thoughts and links were just to get you started, hopefully just that bit of info will help you clarify what you are actually trying to display. If you need help with that, please ask, otherwise, have fun Splunking!

0 Karma

Imjusttesting
Explorer

The 1st criteria is, we only need to identify driver that are driving for more than 8 hours.
2nd criteria, the Stop, is identify if there is more than 30 mins Gap.
(The data are constantly send every 1 mins and if the engine is cut off, nothing is send. Thus if there is no event between 30 mins after the last record, then that is a Stop)

Hope this clarify everything

0 Karma

Imjusttesting
Explorer

Thanks.

I tried your search string, Tripno, Username are included but Start and End time are not included.
Is there any way to include the Start and End time?

I'm using the _time for all event.

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...